Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Reflexive ACLs are a special kind of extended access-list that implement a limited stateful behaviour for TCP sessions. It is better to say that a reflexive access-list simulates stateful behaviour: by use of the ‘established’ keyword, it allows TCP packets that have the ACK bit set but not the initial SYN-only packet. In this way, we effectively permit only the packets that are part of an already established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way around.

I created the lab topology in GNS3:

I used a standard Cisco router image to simulate R1, PC1 and PC2; I only changed the icons on PC1 and PC2. Full configs are at the bottom. I configured router-on-a-stick to make the simplest possible topology: a trunk between the switch and R1, and two VLANs on the switch. The switch config is also at the bottom.

This reflexive access-list allows traffic back from VLAN20 (20.20.20.0/24) to VLAN10 (10.10.10.0/24) only if the traffic was first initiated from VLAN10. In this way, only a PING initiated at PC1 (10.10.10.10) towards PC2 (20.20.20.10) will succeed, while a PING from 20.20.20.10 to 10.10.10.10 will give you IP address unreachable.
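The configuration below is an added example written for this post, not the author's own config: it implements the VLAN10-to-VLAN20 behaviour described above with a `reflect`/`evaluate` pair on the VLAN 20 subinterface. The subinterface names (FastEthernet0/0.10 and .20), the gateway addresses 10.10.10.1 and 20.20.20.1, the ACL names and the timeouts are assumptions; only the VLAN IDs and the PC/subnet addresses come from the post.

```cisco
! Added example (not the author's config from the post). Assumed: the trunk
! lands on R1 FastEthernet0/0 with dot1Q subinterfaces .10 and .20, and R1
! holds 10.10.10.1 and 20.20.20.1 as the VLAN gateways.
!
! Outbound (toward VLAN 20) ACL: every flow it permits from VLAN 10 creates a
! temporary mirrored entry in the reflexive list MIRROR (source/destination
! and ports or ICMP type swapped). Entries age out after the timeout.
ip access-list extended VLAN10-TO-VLAN20
 permit icmp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 reflect MIRROR timeout 60
 permit tcp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 reflect MIRROR timeout 300
 permit udp 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 reflect MIRROR timeout 60
 deny ip any any
!
! Inbound (from VLAN 20) ACL: only packets matching a live MIRROR entry pass.
! Anything VLAN 20 initiates hits the deny; the router answers with an ICMP
! unreachable (administratively prohibited), which is what PC2 sees.
ip access-list extended VLAN20-TO-VLAN10
 evaluate MIRROR
 deny ip any any log
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
! Both ACLs bind to the VLAN 20 subinterface: reflect on the way out,
! evaluate on the way in, so the mirror is checked before routing to VLAN 10.
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 ip access-group VLAN10-TO-VLAN20 out
 ip access-group VLAN20-TO-VLAN10 in
!
! Verification while PC1 pings PC2: the dynamic entry appears under
! "Reflexive IP access list MIRROR" and disappears after the timeout; a ping
! started from PC2 instead increments the deny counter of VLAN20-TO-VLAN10.
! R1# show access-lists
```

The `evaluate` line must come before the final `deny`, otherwise the mirrored entries are never consulted and even the return traffic for PC1's ping is dropped.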

So, it seems the lab shows that I did it right on my first try a few years ago. I hope this lab with its complete configuration will help the readers who reached out to me to find where they went wrong. Of course, if you need more help, just leave a comment and I will try to help 🙂

You can also download the GNS3 lab project here to start from a working setup. I made this in GNS3 version 2.0.